DNS Patch Might Ship Out-of-Band

Windows Vista notwithstanding, it's been a tough year for Microsoft security, and we've just started the second quarter. After proudly proclaiming that it would not ship any security updates as part of its regularly scheduled monthly security patch release in March, Microsoft was forced to ship an out-of-band (OOB) security update to handle an animated cursor vulnerability that affected multiple Windows versions.

That happens occasionally. Unfortunately, a month later, it could be happening again. This week, Microsoft revealed that it will soon ship a security patch for the recently discovered DNS vulnerability, also present in several Windows versions. As of this writing, Microsoft hopes to ship this patch as part of its regular May patch shipment, due May 8. But with attacks on the rise, Microsoft is looking at delivering the DNS patch ahead of schedule. Hey, you weren't busy this week anyway, right?

"We have teams around the world working on \[the DNS patch\] twenty-four hours a day and hope to have updates no later than May 8, 2007, for the May monthly bulletin release," Christopher Budd wrote in the Microsoft Security Response Center (MSRC) blog last week. "However, this is a developing situation, and we are constantly evaluating the situation and the status of our development and testing of updates."

Since that posting, the MSRC blog has been updated with more information about the vulnerability and the four known exploits, along with guidance on working around the problem until the fix is available. The Microsoft article "How to disable remote administration of the DNS Server service in Windows Server 2003 and in Windows 2000 Server" at http://support.microsoft.com/kb/936263 explains how to disable remote administration of DNS, which will help protect you against this vulnerability.

MSRC blog

http://blogs.technet.com/msrc/

A Windows XP Resurgence?

In an unrelated development, PC maker Dell last week revealed that it will start offering consumers a choice of Windows Vista and XP on some Dimension desktops and notebooks, a reversal of an earlier policy to offer only Vista on such machines. (Dell, like other enterprise-oriented PC makers, will continue offering XP and Vista on its business machines through at least the end of 2008.)

I wouldn't read too much into Dell's decision. Dell is in the middle of an ugly restructuring, and the company recently forced out CEO Kevin Rollins, placing founder Michael Dell back in charge of day-to-day operations. As part of his strategy to begin listening more closely to customers, Mr. Dell started an "Idea Storm" Web site through which customers could suggest and vote on changes. The highest-profile change that Dell will soon institute is to offer desktop versions of Linux on selected PCs. That's a noble gesture, but I think most would agree that it's never going to turn into a huge business for Dell. Likewise, I think the decision to bring back XP, ultimately, isn't going to amount to much.

Here's why: Consumers typically rally around the latest and greatest Windows version, especially when it offers distinct advantages over the previous versions. In a few rare cases--Windows Me comes to mind--this hasn't worked out well for customers, but for the most part, new Windows versions tend to quickly displace previous versions in the market. Yes, Microsoft helps that along for obvious reasons, but unlike businesses, consumers typically respond positively to new software. So while XP will return somewhat, don't expect it to make much of a splash, except as a short-term gain for Dell's image. On the enterprise side, of course, businesses will migrate as they always have: on their own schedules.